‘Junk gun’ ransomware: Peashooters can still pack a punch

Sophos X-Ops identified 19 low-cost, independently produced “junk-gun” ransomware variants advertised on English-language criminal forums, many sold as one-off builds or offered as simple builders/source code. These kits often include basic encryption (AES/RSA), optional stealers/keyloggers, simple anti-analysis checks, and tactics such as deleting shadow copies, creating a measurable risk to small businesses and inexperienced defenders. #EvilExtractor #Kryptina

Keypoints

  • Researchers found 19 distinct low-cost ransomware variants advertised between June 2023 and Feb 2024 across four forums, many sold as single-build purchases rather than RaaS.
  • Common capabilities include AES-256/RSA encryption, multithreaded encryption, deletion of volume shadow copies, persistence, and occasional anti-VM/anti-debugger checks.
  • Some variants bundle secondary malware (stealers, keyloggers, RATs) and exfiltration components (e.g., FTP server), increasing impact beyond encryption alone.
  • Development languages skew toward easier-to-learn stacks (.NET/C#, C++, C, Go, Python), reflecting lower developer skill levels and rapid DIY builds.
  • Evidence of in-the-wild use is limited but includes Evil Extractor (documented) and seller/buyer claims for Ergon, Loni, and Lolicrypt.
  • Actors discuss target selection techniques (Shodan to find RDP/SSH), physical deployment (USB sticks), and basic monetization tactics aimed at small businesses and individuals.
  • Detection claims vary; several adverts reference Windows Defender or online scanner results, but many kits remain cheap (median ~$375) and accessible despite detection rates.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Used to encrypt victim files with common algorithms (e.g., AES-256, RSA); ( ‘AES-256 and/or RSA-2048 were, unsurprisingly…the most popular’ ).
  • [T1490] Inhibit System Recovery – Removal of recovery artifacts to prevent restoration by victims; ( ‘delete shadow copies’ ).
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM and anti-debugger checks included in some builds to hinder analysis; ( ‘Anti Virtual Machine’ ).
  • [T1070] Indicator Removal on Host – Self-deletion or self-destruct routines to remove traces after execution; ( ‘self-destruct, self-deletion’ ).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – Some adverts claim UAC bypass capability to escalate privileges during deployment; ( ‘UAC bypass’ ).
  • [T1056] Input Capture – Bundled keylogger features capture keystrokes and credentials on infected hosts; ( ‘keylogger’ ).
  • [T1595] Active Scanning – Use of Shodan and similar tools to find exposed RDP/SSH hosts for targeting; ( ‘considered looking on Shodan … to identify vulnerable RDP and SSH servers’ ).
  • [T1027] Obfuscated Files or Information – Use of crypters to obfuscate payloads and evade static detection; ( ‘crypter’ ).
  • [T1041] Exfiltration Over C2 (FTP) – Some kits advertise built-in FTP servers or exfil capabilities for stolen data; ( ‘FTP server’ ).
  • [T1091] Replication Through Removable Media – Guidance and recommendations for deploying ransomware via USB sticks for local, physical infections; ( ‘putting ransomware on a USB stick’ ).

Indicators of Compromise

  • [Malware variant names] forum adverts and kit listings – Evil Extractor, Kryptina, and 17 more variants observed on four forums.
  • [URLs / Reports] reference material – https://news.sophos.com/en-us/2024/04/17/junk-gun-ransomware-peashooters-can-still-pack-a-punch (Sophos report linked in article).
  • [Programming languages] build artifacts / developer notes – C#, C++, and other languages used in builds (Go, Python, C were also cited).
  • [AV/detection claims] seller-provided scan results – Windows Defender mentions and sample scan results like “Defender” and “2/70 VT” used in adverts to indicate (non-)detection.

Cheap “junk-gun” ransomware packages observed on criminal forums are technically straightforward but diverse: many implement standard symmetric/asymmetric encryption (AES-256, RSA 2048/4096), sometimes uncommon ciphers (ChaCha20, XTEA, Salsa20), and multithreaded encryption for speed. A minority bundle additional functionality—stealers, keyloggers, RATs, FTP exfil servers—and advertise features such as deletion of volume shadow copies and persistence mechanisms; a few claim anti-VM/anti-debugger protections, UAC bypasses, crypters for obfuscation, and self-deletion to hinder analysis and recovery.

Deployment and targeting techniques discussed by forum users include using Shodan to locate exposed RDP/SSH services, direct physical infection via USB sticks (and social engineering for premises access), and targeting small businesses or individual users with lower defenses. Many samples are one-off builds or sold with source/builders in languages with lower learning curves (notably .NET/C#), which lowers the barrier for less-skilled actors to execute the full attack chain without relying on affiliates or IAB infrastructure.

From a defensive perspective, these kits complicate threat tracking: researchers face sample scarcity, inconsistent naming (some vendors reuse known family names), and limited public reporting because victims tend to be small organizations or individuals. Priorities for defenders include detecting and blocking credential-stealing components (input capture), monitoring for shadow copy deletion and rapid file encryption behaviors, restricting the exposure of RDP/SSH services, hardening removable media policies, and tracking emerging variants and forum activity to anticipate capability growth among lower-tier actors.
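As an added illustration of the two behavioural detections named above (this is example code, not from the Sophos report), the following Python checks a small set of constructed process-creation and file-rename events for shadow-copy deletion commands (T1490) and for a single process renaming many files to a new extension within a short window, the telltale of fast multithreaded encryption. Event tuples, process names and paths are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the report): (timestamp, kind, process, detail)
# kind "proc" = process creation with its command line; kind "file" = file rename "src -> dst".
EVENTS = [
    ("2024-04-17T10:00:00", "proc", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("2024-04-17T10:00:01", "proc", "cmd.exe", "wmic shadowcopy delete"),
    ("2024-04-17T10:00:02", "proc", "powershell.exe", "Get-Process"),
    ("2024-04-17T10:01:00", "file", "explorer.exe", r"C:\tmp\a.txt -> C:\tmp\b.txt"),
] + [  # one process renaming 60 documents to a new extension within a few seconds
    ("2024-04-17T10:00:%02d" % (3 + i // 10), "file", "build.exe",
     r"C:\Users\a\Documents\doc%d.docx -> C:\Users\a\Documents\doc%d.locked" % (i, i))
    for i in range(60)
]

# Command-line patterns for recovery inhibition (T1490), in the spirit of a Sigma rule.
SHADOW_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

def shadow_copy_deletions(events):
    """Return command lines that match a known shadow-copy/recovery deletion pattern."""
    return [d for _, kind, _, d in events
            if kind == "proc" and any(p.search(d) for p in SHADOW_PATTERNS)]

def rapid_renames(events, threshold=50, window_s=60):
    """Processes that change the extension of >= threshold files within window_s seconds."""
    per_proc = defaultdict(list)
    for ts, kind, proc, detail in events:
        if kind != "file":
            continue
        src, _, dst = detail.partition(" -> ")
        if src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower():  # extension changed
            per_proc[proc].append(datetime.fromisoformat(ts))
    flagged = {}
    for proc, times in per_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted rename times
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[proc] = end - start + 1
                break
    return flagged
```

In a real deployment the same two checks would run over Sysmon/EDR process-creation and file events rather than an inline list; the extension-change heuristic deliberately ignores ordinary renames that keep the extension, as with the explorer.exe event above.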

Read more: https://news.sophos.com/en-us/2024/04/17/junk-gun-ransomware-peashooters-can-still-pack-a-punch